39.3 Securing HTTP Browser Connections

Using secure HTTP (HTTPS) improves the security of your Novell Vibe site. During installation, you can choose to configure your Vibe site for HTTP or HTTPS. After installation, you can force secure HTTP connections.

39.3.1 Preparing for Secure HTTP Connections

If you want users to access the Vibe site with a secure HTTP connection, you must configure Vibe with a root certificate and a server certificate. The root certificate identifies the root certificate authority (CA) for your Vibe site. The server certificate is customized for the specific server where Vibe is installed.

Understanding How Vibe Handles Certificates

Vibe uses a keystore to store certificates. The default keystore file that is installed along with Vibe is:

Linux:

/opt/novell/teaming/apache-tomcat/conf/.keystore

Windows:

c:\Program Files\Novell\Teaming\
                              apache-tomcat\conf\.keystore

The original certificate in the default keystore is sufficient for you to set up secure HTTP connections during initial installation, but it is self-signed and has an expiration date, so you cannot use it permanently. Soon after installation, you must obtain a permanent certificate. You can use a commercially signed certificate or a self-signed certificate. There are advantages and disadvantages to each approach.

  • Commercially Signed Certificate: The advantage to using a certificate signed by a commercial certificate authority (CA) is that browsers automatically accept these certificates. The disadvantage is that an additional step is required, with some wait time while you obtain the commercially signed certificate.

  • Self-Signed Certificate: The advantage to using a self-signed certificate is that it is quick and easy for you to do as the Vibe administrator. The disadvantage is that users receive a warning in the browser about the self-signed certificate the first time they access the Vibe site using secure HTTP. Users must manually accept the self-signed certificate, then the warning never occurs again.

After you obtain your permanent certificate, you can store it in the default Vibe keystore, or in a location of your own choosing. Vibe reads the location of its keystore from the following file:

Linux:

/opt/novell/teaming/apache-tomcat/conf/server.xml

Windows:

c:\Program Files\Novell\Teaming\
                             apache-tomcat\conf\server.xml

If you do not want to use the default keystore location, you must update the server.xml file to match the location you choose for your keystore.

Creating a New Keystore File

Rather than updating the Vibe .keystore file that is provided during installation, it is easier to create a new .keystore file, then import your signed certificate into it.

  1. Create a new directory where you want to create the new .keystore file, such as a certs directory in a convenient location.

  2. Change to the new certs directory.

  3. Make sure that you can access the keytool tool:

    Linux:

    /usr/java/jdkversion/bin/keytool
    

    Windows:

    c:\Program Files\Java\jdkversion\bin\keytool.exe

    For convenient use, you might need to add its location to the PATH environment variable.

  4. Use the following command to create a new .keystore file:

    keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore
    
  5. When prompted, specify a password for the new .keystore file, then confirm the password.

    IMPORTANT:The default password used by Tomcat is changeit. If you want to specify a password other than this, then you must also specify this password in the server.xml Tomcat configuration file, as described in Changing Your Password for the Keystore File.

    Do not forget the password you specify. The changes you make are not preserved when you upgrade Vibe.

  6. When you are prompted for your first and last name, specify the fully qualified DNS name of the Vibe server, such as vibe.yourcompanyname.com.

    You are then prompted for additional information about your organization:

    • Organizational unit

    • Organization

    • City or locality

    • State or province

    • Two-letter country code

  7. (Conditional) If you are planning to obtain a your certificate from a commercial certificate authority (CA), respond to the additional information prompts with accurate information appropriate to your organization.

    or

    (Conditional) If you are planning to generate a self-signed certificate, press Enter to skip through the prompts.

  8. When you are prompted whether the information you provided is correct, enter yes.

  9. Press Enter to use the same password that you specified in Step 5 as the key password for Tomcat.

  10. List the files in the certs directory to see that a new .keystore file has been created.

Changing Your Password for the Keystore File

If you want to specify a password other than changeit for your .keystore file, as described in Step 5 in Creating a New Keystore File, then you must also specify this password in the server.xml Tomcat configuration file.

NOTE:The password changes that you make are not preserved when you upgrade Vibe; you need to make these changes again after you upgrade.

  1. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/
                               conf
    

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\
                               conf
    
  2. Open the server.xml file in a text editor.

  3. Locate the keystorePass attribute, then change the value of this attribute to your new password.

  4. Save and close the server.xml file.

Generating a Certificate Signing Request

  1. Use the following command to create a certificate signing request (CSR):

    keytool -certreq -alias tomcat -keyalg RSA 
            -file certreq.csr -keystore .keystore
    
  2. Enter the keystore password to create the CSR.

  3. List the files in the certs directory to see that a new certreq.csr file has been created along with the existing.keystore file.

  4. Use the certreq.csr file to obtain a signed certificate.:

    1. To use a commercial certificate authority (CA), continue with Submitting the Certificate Signing Request to a Certificate Authority (CA).

      or

    2. To use a self-signed certificate, skip to Using the Certificate Signing Request to Generate a Self-Signed Certificate.

Submitting the Certificate Signing Request to a Certificate Authority (CA)

You can find a commercial certificate authority (CA) on the Internet by searching for “certificate authority.” The process of obtaining a signed certificate varies from company to company. Each company provides instructions to assist you.

The certificate authority sends you a set of certificate files that you import into the Vibe keystore. Import these files into the same keystore that you used to create the original certificate request. You must import all of the files that you receive.

The following procedure is a guideline for importing the certificate into the Vibe keystore. Instructions might vary depending on the certificate authority.

  1. Change to the certs directory where you created the root certificate file and the server certificate file.

  2. Use the following command to import the root certificate file:

    keytool -import -alias root -trustcacerts -keyalg RSA -keystore .keystore
            -file CertificateAuthorityCert.der
    
  3. Enter the keystore password to add the root certificate to the Vibe keystore.

  4. Use the following command to import the SSL certificate file that you received from the certificate authority:

    keytool -import -alias tomcat -keyalg RSA -keystore .keystore
            -file certificate_name.cer
    
  5. Enter the keystore password to add the server certificate to the Vibe keystore.

Using the Certificate Signing Request to Generate a Self-Signed Certificate

If you do not want to wait to receive your signed certificate from a commercial certificate authority (CA), you can generate your own self-signed certificate using ConsoleOne or iManager. You must generate both a self-signed eDirectory root certificate file and a server certificate file.

NOTE:If you are using Active Directory rather than eDirectory, consult your Active Directory documentation for procedures comparable to those provided in this section.

Generating a Self-Signed Root Certificate File in ConsoleOne

A root certificate identifies the root certificate authority (CA) for your Vibe site. In this case, eDirectory is acting as the root certificate authority.

  1. On Linux or Windows, start ConsoleOne and authenticate to your eDirectory tree.

  2. Expand the Security container, right-click the Tree_Name CA object, then click Properties.

  3. Click Certificates > Self Signed Certificate.

  4. Click Validate to update the certificate status, then click OK to close the Certificate Validation dialog box.

  5. Click Export to export your eDirectory root certificate into a file that can be imported into the Vibe keystore file.

  6. Click Next to accept the default of No for exporting a private key file along with the root certificate.

  7. Select the output format for the root certificate file.

    Either DER or Base64 format can be imported into the Vibe keystore file.

  8. In the Filename field, specify the location (the certs directory where you created the certificate signing request) and the filename to use, such as SelfSignedRootCert.der.

  9. Click Next to display a summary of the options you have selected, then click Finish to generate the root certificate file.

  10. Click Cancel to close the Self Signed Certificate properties page of the Tree_Name CA object.

  11. Continue with Generating a Self-Signed Server Certificate File in ConsoleOne.

Generating a Self-Signed Server Certificate File in ConsoleOne

A server certificate is customized for the specific server where Vibe is installed.

  1. Click Tools > Issue Certificate.

  2. Browse to and select the certreq.csr file that you created in the certs directory, then click Next.

    This retrieves the contents of the CSR file into the CSR window.

  3. Click Next to accept the default of using an organization certificate authority.

  4. Select SSL or TLS as the type of server certificate that you need, then click Next.

  5. Select the validity period you want for the server certificate, then click Next.

  6. Review the information that you have provided, then click Finish.

  7. Select the output format for the server certificate file.

    Either DER or Base64 format can be imported into the Vibe keystore file.

  8. In the Filename field, specify the location (the certs directory where you created the Certificate Signing Request) and the filename to use, such as SelfSignedServerCert.der.

  9. Click Save to create the public-key certificate file.

  10. Exit ConsoleOne.

  11. Continue with Importing the Certificate Files into the Vibe Keystore.

Generating a Self-Signed Root Certificate File in iManager

A root certificate identifies the root certificate authority (CA) for your Vibe site. In this case, eDirectory is acting as the root certificate authority.

For additional information about this task, see Exporting the Organizational CA’s Self-Signed Certificate in the Novell Certificate Server Administration Guide.

  1. Log in to iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

  3. On the Roles and Tasks menu, click Novell Certificate Server > Configure Certificate Authority, then click the Certificates tab.

    This brings up the property pages for the Organizational CA, which include a General page, a CRL page, a Certificates page, and other eDirectory-related pages.

  4. Select Self Signed Certificate, then click Validate.

  5. Select Self Signed Certificate, then click Export.

  6. Deselect Export private key, then click Next.

  7. Click Save the exported certificate, then specify the location (the certs directory where you created the certificate signing request) and the filename to use, such as SelfSignedRootCert.der.

  8. Click Close.

  9. Continue with Generating a Self-Signed Server Certificate File in iManager.

Generating a Self-Signed Server Certificate File in iManager

A server certificate is customized for the specific server where Vibe is installed.

For additional information about this task, see Issuing a Public Key Certificate in the Novell Certificate Server Administration Guide.

  1. Log in to iManager.

  2. Click the Configure icon.

  3. Click Plug-in Installation, and verify that Novell Certificate Server Plug-ins for iManager is available in the Installed Novell Plug-in Modules list.

  4. Click the Roles and Tasks icon.

  5. Click Novell Certificate Server > Issue Certificate.

  6. Browse to and select the certreq.csr file that you created in the certs directory, then click Next.

  7. In the Key type section, select SSL or TLS, then click Next.

  8. In the Certificate Type section, select End Entity, then click Next.

  9. In the Subject name field, select the edit icon, then in the CN field specify either the DNS name or the IP address of the Vibe server.

  10. Fill in the other fields as appropriate, then click Next.

  11. In the Save to field, ensure that File in binary DER format is selected, then click Next.

  12. Review the certificate information, then click Finish.

  13. Click Download the issued certificate.

  14. Continue with Importing the Certificate Files into the Vibe Keystore.

Importing the Certificate Files into the Vibe Keystore

After you have obtained or generated a signed certificate, you must import the certificate files into the Vibe keystore. This section describes how to import the files associated with a self-signed certificate. For information about how to import the files for a certificate that you receive from a certificate authority, see Submitting the Certificate Signing Request to a Certificate Authority (CA).

  1. Change to the certs directory where you created the root certificate file and the server certificate file.

  2. Use the following command to import the root certificate file:

    keytool -import -alias root -keyalg RSA -keystore .keystore
            -file SelfSignedRootCert.der
    
  3. Enter the keystore password to add the root certificate to the Vibe keystore.

  4. Use the following command to import the server certificate file:

    keytool -import -alias tomcat -keyalg RSA -keystore .keystore
            -file SelfSignedServerCert.der
    
  5. Enter the keystore password to add the server certificate to the Vibe keystore.

    The new .keystore file is now ready to be added to your Vibe system.

  6. Use the following command to verify that the server certificates have been imported into the Vibe keystore:

    keytool -list -keystore .keystore
    
  7. Enter the keystore password, then verify that the certificates have been imported.

    You should see the text Your keystore contains 2 entries, followed by information about each certificate that you imported.

  8. Continue with Replacing the Original Vibe Keystore File with Your Permanent Keystore File.

Replacing the Original Vibe Keystore File with Your Permanent Keystore File

  1. Change to the following directory on the Vibe server:

    Linux:

    /opt/novell/teaming/apache-tomcat/conf
    

    Windows:

    c:\Program Files\Novell\Teaming\
                                 apache-tomcat\conf
    
  2. Rename the existing .keystore file to keystorebackup.

  3. Copy your new .keystore from the certs directory to the conf directory.

  4. Adjust the ownership and permissions of the new .keystore file to match those of the backed-up keystore file.

  5. Restart Vibe so that Vibe rereads the updated keystore file.

39.3.2 Implementing Secure HTTP Connections

When you run the Vibe installation program, you can choose between non-secure and secure HTTP connections, as described in HTTP/HTTPS Ports in Basic Installation in the Novell Vibe 3.3 Installation Guide.

39.3.3 Forcing Secure HTTP Connections

With additional configuration, you can force users from a non-secure HTTP connection to a secure HTTPS connection.

Using Novell Access Manager to Force Secure HTTP Connections

With Novell Vibe, you can use Novell Access Manager to force secure HTTP connections. For more information, see Configuring Single Sign-On with Novell Access Manager in Advanced Installation and Reconfiguration in the Novell Vibe 3.3 Installation Guide.

Configuring Tomcat to Redirect to Secure HTTP Connections

To reconfigure Tomcat, you must update two configuration files (both named web.xml) under two different directories (ssf and ssfs). The ssf directory name refers to SiteScape Forum, a legacy product name. The ssf directory contains the main Vibe Web application that you use when you interact with your browser. The ssfs directory name refers to SiteScape File System. The ssfs directory contains the Vibe WebDAV application that you use to access files on a remote WebDAV server from the Vibe site.

  1. Log in to the Vibe server with sufficient rights to edit the web.xml files (root on Linux, Administrator on Windows).

  2. Modify the web.xml file under the ssf directory:

    1. Change to the directory where the web.xml file is located.

      Linux:

      /opt/novell/teaming/apache-tomcat/
                                               webapps/ssf/WEB-INF
      

      Windows:

      c:\Program Files\Novell\Teaming\apache-tomcat\
                                               webapps\ssf\WEB-INF
      
    2. Make a backup copy of the web.xml file, then open the web.xml file in a text editor.

    3. Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      
    4. (Conditional) If users access the Vibe site with Internet Explorer, find the following single line in the security constraint you just added:

       <url-pattern>/*</url-pattern>
      
    5. Replace it with the following set of lines:

        <!-- Patterns from web.xml.tmpl. -->
        <url-pattern>/a/*</url-pattern>
        <url-pattern>/ws/*</url-pattern>
        <url-pattern>/rss/*</url-pattern>
        <url-pattern>/atom/*</url-pattern>
        <!-- Patterns from subdirectories of webapps/ssf. -->
        <url-pattern>/applets/*</url-pattern>
        <url-pattern>/css/*</url-pattern>
        <url-pattern>/help/*</url-pattern>
        <url-pattern>/help_doc/*</url-pattern>
        <url-pattern>/i/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <url-pattern>/js/*</url-pattern>
      

      For Internet Explorer, this list of URL patterns forces secure HTTP connections for everything except the /s/* pattern (document files with extensions such as .odt and .doc) and the /ical/* pattern (calendar .ics files).

    6. Save the modified web.xml file, then exit the text editor.

  3. Modify the web.xml file under the ssfs directory:

    1. Change to the directory where the web.xml file is located.

      Linux:

      /opt/novell/teaming/apache-tomcat/
                                            webapps/ssfs/WEB-INF
      

      Windows:

      c:\Program Files\Novell\Teaming\apache-tomcat\
                                             webapps\ssfs\WEB-INF
      
    2. Make a backup copy of the web.xml file, then open the web.xml file in a text editor.

    3. Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      
    4. Save the modified web.xml file, then exit the text editor.

Adding the Apache Web Server to Force Secure HTTP Connections

You can set up the Apache Web server to front your Vibe site and use a meta refresh to redirect users to a secure URL.

  1. Install the Apache Web server on one server.

  2. Configure Apache to listen on port 80.

  3. Create an index.html file similar to the following example:

    <html>
    <head>
      <meta http-equiv="refresh" content="0;url=https://vibe_url" />
      <title>Redirected to Secure Vibe</title>
    </head>
    <body>
      This page is used to redirect to the Secure Vibe server. If your 
      browser does not automatically redirect you in a few seconds, click 
      <a href="https://vibe_url">here</a> to go to the secure page.
    </body>
    </html>
    
  4. Replace vibe_url with the URL to your Vibe site.

  5. Place the index.html file in the document root directory of the Apache Web server.

    Linux:

    /srv/www/htdocs
    

    Windows:

    c:\Program Files\Apache Software Foundation\Apache2.2\htdocs
    
  6. Restart the Apache Web server.

39.3.4 Defaulting to Secure HTTP URLs

Defaulting to Secure HTTP URLs in Vibe Links

Vibe includes URLs to locations on the Vibe site in various links throughout the Vibe system. By default, the URLs are formed with HTTP rather than HTTPS. You can reconfigure Vibe to default to HTTPS for Vibe site URLs.

  1. Log in to the Vibe server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).

  2. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/
                               webapps/ssf/WEB-INF/classes/config
    

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\
                               webapps\ssf\WEB-INF\classes/config
    
  3. Open the ssf.properties file in a text editor.

  4. Locate and copy the following lines:

    adapter.web.protocol=context-http
    servelet.web.protocol=context-http
    rss.web.protocol=context-http
    ical.web.protocol=context-http
    ssfs.web.protocol=context-http
    simpleurl.web.protocol=context-http
    
  5. Make a backup copy of the ssf-ext.properties file, located in the same directory with the ssf.properties file.

  6. Open the ssf-ext.properties file in a text editor.

  7. Paste the lines that you copied in Step 4 to the bottom of the file.

  8. Change http to https.

    adapter.web.protocol=context-https
    servelet.web.protocol=context-https
    rss.web.protocol=context-https
    ical.web.protocol=context-https
    ssfs.web.protocol=context-https
    simpleurl.web.protocol=context-https
    
  9. Close the ssf.properties file without saving.

  10. Save the ssf-ext.properties file, then exit the text editor

  11. Restart Vibe to put the change into effect.

Defaulting to Secure HTTP URLs in E-Mail Notifications

When an e-mail notification is sent from Vibe, Vibe includes a URL to the location on the Vibe site where the notification was sent. By default, the URLs in e-mail notifications are formed with http rather than https. You can reconfigure Vibe to default to https for Vibe site URLs.

  1. Log in to the Vibe server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).

  2. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/
                               webapps/ssf/WEB-INF/classes/config
    

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\
                               webapps\ssf\WEB-INF\classes/config
    
  3. Open the ssf.properties file in a text editor.

  4. Locate and copy the following line:

    ssf.secure.links.in.email=false
    
  5. Close the ssf.properties file without saving.

  6. Make a backup copy of the ssf-ext.properties file, located in the same directory with the ssf.properties file.

  7. Open the ssf-ext.properties file in a text editor.

  8. Paste the line that you copied in Step 4 to the bottom of the file:

    ssf.secure.links.in.email=false
    
  9. Change false to true so that the line now looks like this:

    ssf.secure.links.in.email=true
    
  10. Save the ssf-ext.properties file, then exit the text editor

  11. Restart Vibe to put the change into effect.

All system-generated e-mail notifications now default to secure HTTP URLs. However, all user-generated e-mails from the Vibe system follow the current user’s context. For example, if a user is logged in as HTTP and chooses to share an entry with another user, the link in the e-mail notification uses HTTP.